Permissions to terminate

I've installed AppDefend and allowed my anti-virus program (KAV). Do I need to also set permissions to allow it to terminate another program? Currently it is set for execution and network access as "allow" all the rest are set as "default." Has anyone put together a list of "recommended permissions" for programs. I have Task Manager set "ask user/allow" so I have to allow it to run. Also, set gss.exe to "ask user/block" for self terminate so it can't be terminated without permission.

 

If you want your AV to be able to react to malware (which you presumably do) then giving it Terminate permission is highly advisable. Otherwise you could have a situation where a detected nasty is allowed to romp all over your system because GSS has suspended KAV while it waits for you to answer a termination prompt.

This applies to process control software and anti-malware scanners generally - the scanners need to be given adequate permission to shut down anything suspicious that they detect.

 

Thanks Paranoid2000.

 

Most AVs I've tried do a very poor job at removing the well written malware, you're really stuck without something like GSS or another HIPS. Either way, once KAV or something else identifies a known nasty, blocking it's execute access with AppDefend and/or changing the default execute action to "block all" would stop the self protecting malware from popping up again combined with blocking it's rewriting access to startup registry items. Or you could just do the latter and reboot....

 

Yes, but does that really apply when flagging malware before it executes? Here presumably a user would have (either mistakenly or through ignorance) answered a GSS prompt allowing it to run, so assuming that it is recognised, permitting the AV to kill it ASAP is the most desireable option (though most malware would trigger further GSS prompts for driver installs, registry changes or network access allowing further chances to halt it without an AV).

I'd agree that a technically knowledgeable user (i.e. one who knows what their system should be running and only allows new items with good cause) could dispense with AV, but most are likely to continue wanting alerts on confirmed malware.